AV Evasion With the Veil Framework Christopher Truncer, Will Schroeder, and Michael Wright
As antivirus (finally) has started to slowly increase in effectiveness, more and more of the payloads used during penetration tests are being caught. While the industry as a whole has demonstrated its capabilities of bypassing AV solutions in nearly all situations, valuable assessment time is often lost.
The Veil-Evasion Framework (Veil) was developed to solve this problem by offering a modular, open-source, and UI focused framework for generating AV-evading payloads in a programming language and technique agnostic way. Veil's structure greatly simplifies payload generation and allows for the integration of public and private AV evasion methods. In this talk we will go over the genesis of the framework, its structure and features, and how to develop your own payload modules. Recently released modules will also be covered, and our implementation of a lesser known shellcode injection method will be released.
We will also cover public reaction and disclosure ethics, and we plan on releasing Veil-Catapult, our payload delivery tool. Veil-Catapult extends the capabilities of the existing Veil framework by utilizing various methods to deliver and trigger payloads across targeted machines. We will conclude with a discussion of current and future mitigation strategies to combat Veil's effectiveness.
The Veil development team is comprised of Will Schroeder (@harmj0y), Chris Truncer (@christruncer), and Mike Wright (@TheMightyShiv), a group of pentesters based in the D.C. region and primarily employed by the Veris group. They spend their days doing assessments and their nights researching and building new tools such as Veil.